From 0e30028db029093d82c3b1171527cf274d24b3a8 Mon Sep 17 00:00:00 2001
From: Jethro
Date: Thu, 19 Mar 2026 22:32:10 +1300
Subject: [PATCH] messing around with testing contabo storage and getting bws secrets
---
 infrastructure/velero/contabosecret.yaml | 36 +++++++++--------
 infrastructure/velero/namespace.yaml | 4 ++
 secrets/test.yaml | 50 +++++++++++++++++-------
 3 files changed, 60 insertions(+), 30 deletions(-)
 create mode 100644 infrastructure/velero/namespace.yaml
diff --git a/infrastructure/velero/contabosecret.yaml b/infrastructure/velero/contabosecret.yaml
index ecfee97..dde5d8b 100644
--- a/infrastructure/velero/contabosecret.yaml
+++ b/infrastructure/velero/contabosecret.yaml
@@ -1,20 +1,24 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
+apiVersion: k8s.bitwarden.com/v1
+kind: BitwardenSecret
 metadata:
 name: contabo-s3-creds
 namespace: backups
 spec:
- refreshInterval: 1h
- secretStoreRef:
- name: your-secret-store
- kind: ClusterSecretStore
- target:
- name: contabo-s3-creds
- creationPolicy: Owner
- data:
- - secretKey: AWS_ACCESS_KEY_ID
- remoteRef:
- key: contabo-access-key
- - secretKey: AWS_SECRET_ACCESS_KEY
- remoteRef:
- key: contabo-secret-key
\ No newline at end of file
+ secretName: contabo-s3-creds
+ organizationId: 0df293ad-6afb-4d0b-b3ff-b41000581de5
+ # This references infrastructure/bitwarden/bitwardenaccesstoken.enc.yaml.
+ # The auth token secret must exist in the same namespace as this BitwardenSecret.
+ authToken:
+ secretName: bitwarden-access-token
+ secretKey: token
+ useSecretNames: false
+ onlyMappedSecrets: true
+ map:
+ - bwSecretId: cd2d61e8-2e6e-46e8-870e-b410005a2e1e
+ secretKeyName: AWS_ACCESS_KEY_ID
+ - bwSecretId: 17195fbc-89e9-45be-a3ab-b410005a4a5d
+ secretKeyName: AWS_SECRET_ACCESS_KEY
+ - bwSecretId: 3b71b5f9-0ce3-4036-8096-b4100059cc75
+ secretKeyName: CONTABO_CLIENT_ID
+ - bwSecretId: e88eabb8-36bd-4f4d-b0c7-b410005a0d61
+ secretKeyName: CONTABO_CLIENT_SECRET
\ No newline at end of file
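Review bot: The map block folds the Contabo API client credentials (`CONTABO_CLIENT_ID`, `CONTABO_CLIENT_SECRET`) into the same `contabo-s3-creds` Secret as the S3 keys, yet the only consumer visible in this commit (the Job in secrets/test.yaml) reads just the two AWS_* keys, so every workload granted that Secret also receives the API credentials. Moving the two CONTABO_* entries into a separate BitwardenSecret, or dropping them until something actually consumes them, keeps the credentials handed to velero and the test Job scoped to object storage only. The comment above authToken says the token Secret must live in the same namespace; the Job this commit rewrites previously read `bitwarden-access-token` from the `security` namespace, which suggests the token is deployed there and this BitwardenSecret in `backups` will not find it — worth confirming the referenced .enc.yaml is also applied to `backups`. A one-line comment per map entry naming what each bwSecretId holds (e.g. `# Contabo object-storage access key`) would also help, since the UUIDs are opaque to a reader.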
diff --git a/infrastructure/velero/namespace.yaml b/infrastructure/velero/namespace.yaml
new file mode 100644
index 0000000..33fa874
--- /dev/null
+++ b/infrastructure/velero/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: backups
diff --git a/secrets/test.yaml b/secrets/test.yaml
index 44a4d93..d06aabe 100644
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
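Review bot: The new `backups` namespace carries no Pod Security Admission labels even though, per the other files in this commit, it will hold the Bitwarden auth token and the mapped storage credentials. Adding `pod-security.kubernetes.io/enforce: baseline` under `metadata.labels` (or `restricted`, if the velero and test pods can satisfy it) prevents a privileged pod from being scheduled next to those Secrets. Whether the cluster has PSA enabled at all is not visible here, so treat this as a defense-in-depth default rather than a blocker.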
@@ -2,29 +2,51 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 name: contabo-test
- namespace: security
+ namespace: backups
 spec:
+ backoffLimit: 0
 template:
 spec:
 restartPolicy: Never
 containers:
- - name: test
- image: ppatlabs/bitwarden-cli
+ - name: s3-test
+ image: amazon/aws-cli:2.17.37
 command:
- - sh
- - -c
+ - /bin/sh
+ - -ec
 - |
- echo "Logging into Bitwarden..."
- bw login --apikey || true
+ test -n "$AWS_ACCESS_KEY_ID"
+ test -n "$AWS_SECRET_ACCESS_KEY"
+ test -n "$CONTABO_ENDPOINT"
+ test -n "$CONTABO_BUCKET"
 
- echo "Fetching secrets..."
- bw list secrets > /tmp/secrets.json
+ TS="$(date +%s)"
+ KEY="k8s-contabo-test/${TS}.txt"
+ BODY="contabo write test from ${HOSTNAME} at ${TS}"
 
- echo "Secrets output:"
- cat /tmp/secrets.json
+ printf '%s\n' "$BODY" > /tmp/test.txt
+
+ aws --endpoint-url "$CONTABO_ENDPOINT" s3 cp /tmp/test.txt "s3://$CONTABO_BUCKET/$KEY"
+ aws --endpoint-url "$CONTABO_ENDPOINT" s3 cp "s3://$CONTABO_BUCKET/$KEY" /tmp/test-read.txt
+
+ grep -F "$BODY" /tmp/test-read.txt
+
+ aws --endpoint-url "$CONTABO_ENDPOINT" s3 rm "s3://$CONTABO_BUCKET/$KEY"
+ echo "Contabo object storage write/read/delete test passed."
 env:
- - name: BW_ACCESS_TOKEN
+ - name: AWS_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
- name: bitwarden-access-token
- key: token
\ No newline at end of file
+ name: contabo-s3-creds
+ key: AWS_ACCESS_KEY_ID
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: contabo-s3-creds
+ key: AWS_SECRET_ACCESS_KEY
+ - name: CONTABO_ENDPOINT
+ value: "https://eu2.contabostorage.com"
+ - name: CONTABO_BUCKET
+ value: "test"
+ - name: AWS_DEFAULT_REGION
+ value: "us-east-1"
\ No newline at end of file
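Review bot: Because the script runs under `-e`, a failure at the read-back `s3 cp` or at the `grep` exits before the final `s3 rm` and leaves the uploaded object in the bucket; adding `trap 'aws --endpoint-url "$CONTABO_ENDPOINT" s3 rm "s3://$CONTABO_BUCKET/$KEY" || true' EXIT` directly after the `KEY=` line makes the cleanup unconditional while still letting the explicit rm exercise delete. The pod spec also mounts a service-account token the script never uses and keeps the finished pod, with the credentials in its env, around indefinitely; `automountServiceAccountToken: false` beside `restartPolicy: Never` and `ttlSecondsAfterFinished: 600` beside `backoffLimit: 0` close both. The image is pinned by tag only; for a one-off job that is handed storage credentials, pinning by digest (`amazon/aws-cli@sha256:<digest>`) is the cheaper supply-chain control. The enclosing document begins above the hunk — its first line is only shown as the `@@` header context.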